There are several changes in recent updates that provide new ways to input
packets and output event data. Much of the change is driven by development
and test needs, but you may find the new capabilities useful as well. Here
is a brief summary:

Hext DAQ Added

Input raw packets, or TCP payload with a 4-tuple. Input is given in hex or
as quoted text.

Configure with:

    stream_user = { }

Use with:

    --daq-dir ~/install/lib/snort_extra/daqs
    --daq hext
    [--daq-var dlt=1]    # optional raw ethernet
    -r | -i tty

Example input:

    $packet 10.1.2.3 48620 -> 10.9.8.7 80
    "GET / HTTP/1.1\r\n"
    "Host: localhost\r\n"
    "\r\n"

Example raw ethernet input (set the dlt):

    # 0 [98]
    x02 09 08 07 06 05 02 01 02 03 04 05 08 00 45 00 00 54 00 03 # ..............E..T..
    x00 00 40 06 5C 8E 0A 01 02 03 0A 09 08 07 BD EC 00 50 00 00 # ..@.\............P..
    x00 02 00 00 00 02 50 10 20 00 7D D5 00 00 47 45 54 20 2F 74 # ......P. .}...GET /t
    x72 69 67 67 65 72 2F 31 20 48 54 54 50 2F 31 2E 31 0D 0A 48 # rigger/1 HTTP/1.1..H
    x6F 73 74 3A 20 6C 6F 63 61 6C 68 6F 73 74 0D 0A 0D 0A # ost: localhost....

Additional commands are available to specify packets, clients, and
servers. Check the user manual for details.
File DAQ Added

Do detection, file type identification, and file signature calculations on
plain files (no packets needed).

Configure with:

    stream_file = { }
    file_id =
    {
        enable_type = true,
        enable_signature = true,
        file_rules = file_magic
    }

Use with:

    --daq file
    -r

This will print out file type and signature stats so you can see how Snort++
will process a file without having to put it in a pcap. You can also use
--pcap-dir and --max-packet-threads to quickly process a whole directory.
Use -s to process with larger "packets" (i.e. buffers). Note that the output
is still being cleaned up.

In addition to basic file processing, you can do the usual detection with
IPS rules.
Socket DAQ Added

Snort will accept up to two connections and bridge them together, passing
the payload through detection.

Configure with:

    stream_user = { }

Use with:

    --plugin-path ~/install/lib/snort_extra
    --daq-dir ~/install/lib/snort_extra/daqs
    --daq socket

For example, you can do:

    $ nc localhost 8000
    client

    $ nc localhost 8000
    server

The string "client" or "server" is output to indicate which end of the flow
you are on.
Socket Codec Added

Required to use the socket DAQ. Also required to use the hext DAQ when not
in raw mode. The socket codec counts include packets you don't explicitly
generate: the socket DAQ automatically generates start-of-flow and
end-of-flow packets as connections are opened and closed, and the hext DAQ
automatically generates an end-of-flow packet at end of file.
Hext Logger Added

Dump TCP stream payload with 4-tuple information (default mode) or all full
packets (raw mode), suitable for input with the hext DAQ.

Use with:

    --plugin-path ~/install/lib/snort_extra
    -L hext:

To get:

    $packet 10.1.2.3 48620 -> 10.9.8.7 80
    x47 45 54 20 2F 74 72 69 67 67 65 72 2F 31 20 48 54 54 50 2F # GET /trigger/1 HTTP/
    x31 2E 31 0D 0A 48 6F 73 74 3A 20 6C 6F 63 61 6C 68 6F 73 74 # 1.1..Host: localhost
    x0D 0A 0D 0A # ....
    $packet 10.9.8.7 80 -> 10.1.2.3 48620
    x48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D 0A 43 6F 6E # HTTP/1.1 200 OK..Con
    x74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 31 32 0D 0A 0D 0A # tent-Length: 12....
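The hext text format is shared by the hext DAQ input above and the hext logger output just shown, so a small encoder/decoder makes the round trip concrete. The following is an added example written for this page, not code from the Snort project. It assumes (the page does not spell this out) that a packet begins with a `$packet src_ip src_port -> dst_ip dst_port` header, that its payload is given as C-style quoted strings and/or `x`-prefixed hex lines with an optional `# ascii` comment, and that the payload runs until the next `$packet` line or end of file. Only the default payload mode is handled, not raw ethernet (`dlt=1`) input. The sample inputs are the quoted-text example and the logger output from this page.

```python
"""Hext text format helpers.

Added example; this is not Snort's hext DAQ or hext logger code.
Assumptions (not stated on the page): a packet starts with
"$packet <src_ip> <src_port> -> <dst_ip> <dst_port>", its payload lines are
either a C-style quoted string or an 'x' followed by space-separated hex
bytes with an optional "# ascii" comment, and the payload runs until the
next $packet line or end of file. Only the default (payload) mode is
handled, not raw ethernet (dlt=1) input.
"""
import ast
import re
from dataclasses import dataclass
from typing import List, Tuple

BYTES_PER_LINE = 20  # the hext logger output above uses 20-byte rows

_HDR = re.compile(r"^\$packet\s+(\S+)\s+(\d+)\s+->\s+(\S+)\s+(\d+)$")
_QUOTED = re.compile(r'"(?:[^"\\]|\\.)*"')


@dataclass
class HextPacket:
    src: Tuple[str, int]
    dst: Tuple[str, int]
    payload: bytes = b""


def _printable(chunk: bytes) -> str:
    """ASCII rendering used in the '# ...' comment: non-printables become '.'."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)


def encode_packet(pkt: HextPacket) -> str:
    """Render one packet as a $packet header plus hex lines with ASCII comments."""
    lines = [f"$packet {pkt.src[0]} {pkt.src[1]} -> {pkt.dst[0]} {pkt.dst[1]}"]
    for i in range(0, len(pkt.payload), BYTES_PER_LINE):
        chunk = pkt.payload[i:i + BYTES_PER_LINE]
        lines.append("x" + " ".join(f"{b:02X}" for b in chunk) + " # " + _printable(chunk))
    return "\n".join(lines) + "\n"


def decode(text: str) -> List[HextPacket]:
    """Parse hext text (quoted and/or hex payload lines) into packets."""
    pkts: List[HextPacket] = []
    for raw in text.splitlines():
        s = raw.strip()
        if not s or s.startswith("#"):
            continue  # blank line or a comment such as "# 0 [98]"
        m = _HDR.match(s)
        if m:
            pkts.append(HextPacket((m[1], int(m[2])), (m[3], int(m[4]))))
            continue
        if not pkts:
            raise ValueError(f"payload line before any $packet header: {s!r}")
        if s.startswith('"'):
            q = _QUOTED.match(s)
            if not q:
                raise ValueError(f"unterminated quoted string: {s!r}")
            # ast.literal_eval expands \r, \n, \xHH and \" the way a C string would
            pkts[-1].payload += ast.literal_eval(q.group(0)).encode("latin-1")
        elif s.startswith("x"):
            hex_part = s[1:].split("#", 1)[0]  # drop the trailing ASCII comment
            pkts[-1].payload += bytes(int(tok, 16) for tok in hex_part.split())
        else:
            raise ValueError(f"unrecognised hext line: {s!r}")
    return pkts


# Sample inputs: the quoted-text example and the hext logger output shown on this page.
QUOTED_SAMPLE = r'''$packet 10.1.2.3 48620 -> 10.9.8.7 80
"GET / HTTP/1.1\r\n"
"Host: localhost\r\n"
"\r\n"
'''

LOGGER_SAMPLE = """$packet 10.1.2.3 48620 -> 10.9.8.7 80
x47 45 54 20 2F 74 72 69 67 67 65 72 2F 31 20 48 54 54 50 2F # GET /trigger/1 HTTP/
x31 2E 31 0D 0A 48 6F 73 74 3A 20 6C 6F 63 61 6C 68 6F 73 74 # 1.1..Host: localhost
x0D 0A 0D 0A # ....
$packet 10.9.8.7 80 -> 10.1.2.3 48620
x48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D 0A 43 6F 6E # HTTP/1.1 200 OK..Con
x74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 31 32 0D 0A 0D 0A # tent-Length: 12....
"""

if __name__ == "__main__":
    for p in decode(QUOTED_SAMPLE) + decode(LOGGER_SAMPLE):
        print(encode_packet(p), end="")
```

Running the script decodes both samples and re-emits them in the hex form, so a quoted-text file can be converted into the same layout the hext logger writes; a mismatch between the decoded payload and what you expected (a stray escape, a truncated hex row) shows up before the file is fed to `--daq hext`.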
CSV Logger Updated

This logger was completely rewritten and is a good choice for logging a
custom format with a simple config.

With -A csv you get the default format for alerts like this (timestamp,
pkt_num, proto, pkt_gen, dgm_len, dir, src_ap, dst_ap, rule, action):

    08/01-04:55:34.510034, 573345, TCP, raw, 940, C2S, 192.168.22.13:1357, 199.221.131.110:80, 1:5808:9, allow
    08/01-04:58:18.107004, 623410, TCP, stream_tcp, 401, C2S, 192.168.16.25:3510, 207.46.134.62:80, 1:18758:8, allow
Test Logger Deleted

This logger is obviated with the updated CSV logger, which can be configured
to output in the old default test format.

Use:

    --lua "alert_csv = { fields = 'pkt_num gid sid rev', separator = '\t' }"

To get:

    573345 1 5808 9
    623410 1 18758 8
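To show how the default csv columns map onto a custom field selection such as `fields = 'pkt_num gid sid rev'`, here is an added example written for this page; it is not Snort's alert_csv logger. It parses the default `-A csv` layout listed above and re-emits a chosen field list with a chosen separator. The one assumption is that the rule column is always `gid:sid:rev`, so the gid, sid and rev fields are derived from it. The sample lines are the two alerts shown above.

```python
"""Alert CSV helpers.

Added example; this is not Snort's alert_csv logger. It parses the default
-A csv line layout shown above (timestamp, pkt_num, proto, pkt_gen, dgm_len,
dir, src_ap, dst_ap, rule, action) and re-emits a chosen field list with a
chosen separator, mirroring what `alert_csv = { fields = ..., separator = ... }`
produces. Assumption: the rule column is always gid:sid:rev, so gid, sid and
rev are derived from it as extra fields.
"""
from typing import Dict, List

DEFAULT_FIELDS = ["timestamp", "pkt_num", "proto", "pkt_gen", "dgm_len",
                  "dir", "src_ap", "dst_ap", "rule", "action"]
DERIVED_FIELDS = ["gid", "sid", "rev"]

# The two default-format alert lines shown on this page.
SAMPLE_ALERTS = """\
08/01-04:55:34.510034, 573345, TCP, raw, 940, C2S, 192.168.22.13:1357, 199.221.131.110:80, 1:5808:9, allow
08/01-04:58:18.107004, 623410, TCP, stream_tcp, 401, C2S, 192.168.16.25:3510, 207.46.134.62:80, 1:18758:8, allow
"""


def parse_alert(line: str) -> Dict[str, str]:
    """Split one default-format csv alert line into named fields."""
    cols = [c.strip() for c in line.split(",")]
    if len(cols) != len(DEFAULT_FIELDS):
        raise ValueError(f"expected {len(DEFAULT_FIELDS)} columns, got {len(cols)}: {line!r}")
    rec = dict(zip(DEFAULT_FIELDS, cols))
    parts = rec["rule"].split(":")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed rule id: {rec['rule']!r}")
    rec.update(zip(DERIVED_FIELDS, parts))
    return rec


def format_alerts(text: str, fields: str = "pkt_num gid sid rev",
                  separator: str = "\t") -> List[str]:
    """Re-emit each alert using only the selected fields, like the old test format."""
    names = fields.split()
    unknown = [n for n in names if n not in DEFAULT_FIELDS + DERIVED_FIELDS]
    if unknown:
        raise ValueError(f"unknown field(s): {unknown}")
    return [separator.join(parse_alert(line)[n] for n in names)
            for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    print("\n".join(format_alerts(SAMPLE_ALERTS)))
```

With the defaults this prints the same two tab-separated lines as the `--lua` configuration above; passing a different `fields` string (for example `"src_ap dst_ap rule"`) reproduces other custom layouts, and a malformed rule id or an unexpected column count raises instead of silently shifting fields.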